Despite a good amount of hype on the run up to the General Data Protection Regulation (GDPR), for most small and medium size businesses, not a huge amount has changed. So, was it worth all the fuss that was made during the period before GDPR came into force on 25 May 2018, and has it changed the way businesses treat the personal information they hold?
What is the General Data Protection Regulation?
The General Data Protection Regulation was published in the Official Journal of the EU on 4th May 2016 and, 20 days later, on 25th May 2016, the Regulation came into force. It didn’t apply, however, until 25 May 2018, allowing organisations to prepare and to put the necessary processes in place for compliance. Now that the General Data Protection Regulation is in effect, it is directly enforceable in all EU member states, including the UK.
How does GDPR differ from our previous Data Protection Act 1998?
The GDPR is made up of many of the principles that we were already (or should have been) following under the Data Protection Act 1998. The Act provided a clear set of obligations to protect people’s personal data, requiring us to take our data protection responsibilities seriously and only processing that personal data when we had clear lawful grounds to do so.
GDPR brought in a new set of obligations, particularly around the accountability of businesses for data processing, for instance requiring well documented training and policies, and regarding the content of privacy notices.
The changes, though, while requiring additional documentation and paperwork, should not have altered the practices of most businesses that were already complying with the Data Protection Act.
For businesses with customer service at their core, GDPR should have made little difference, and for most organisations, including insurance brokers, already complying with the Data Protection Act, GDPR has, in fact, simply made our obligations around ‘consent’ clearer than ever.
What is ‘consent’?
Perhaps one of the main changes introduced by GDPR was ‘consent’.
If, as a business, you are relying on consent (either for the purposes of processing personal data or for sending marketing communications), then it must be clear and it must be given freely for those purposes.
A year on, there is still some confusion over ‘consent’ and whether it is always needed in order to send marketing communications. While we await the outcome of enforcement action arising from GDPR compliance breaches, though, it is worth bearing in mind that, under the Privacy and Electronic Communications Regulations (PECR), consent is not necessarily needed in order to market to existing customers, and an opt out when collecting that data, together with an unsubscribe link within communications, may suffice.
Despite this, a number of businesses have destroyed sections of their marketing records, seeking fresh consent for their entire database, whether they had already received consent or, simply, didn’t need it.
In fact, the Information Commissioner’s Office (ICO) recommends that, while the GDPR sets a high standard for consent, often it won’t be needed and that, if consent is difficult, a different lawful basis can be looked for. It says:
· Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation.
· Check your consent practices and your existing consents. Refresh your consents if they don’t meet the GDPR standard.
· Consent requires a positive opt-in. Don’t use pre-ticked boxes or any other method of default consent.
· Explicit consent requires a very clear and specific statement of consent.
· Keep your consent requests separate from other terms and conditions.
· Be specific and ‘granular’ so that you get separate consent for separate things. Vague or blanket consent is not enough.
· Be clear and concise.
· Name any third party controllers who will rely on the consent.
· Make it easy for people to withdraw consent and tell them how.
· Keep evidence of consent – who, when, how, and what you told people.
· Keep consent under review, and refresh it if anything changes.
· Avoid making consent to processing a precondition of a service.
· Public authorities and employers will need to take extra care to show that consent is freely given, and should avoid over-reliance on consent.
Getting GDPR compliance wrong
There was much talk, before GDPR came into effect, about the fines that would be put into force for compliance breaches.
The ICO is the UK's independent body set up to uphold information rights, including covering legislation around the General Data Protection Regulation.
At the present time, we are yet to see fines as a result of GDPR compliance issues – all ICO fines issued since 25 May 2018 have been for breaches under the old Data Protection Act. It’s likely that the fines imposed for GDPR breaches will be higher in the future but these will probably not be seen until 2020.
GDPR and cyber insurance
There’s a growing interest in cyber insurance, and for good reason. As our reliance on technology to do business develops, so does the threat to the security of that technology, in the form of cyber crime.
No one – whether individuals, small businesses or large organisations – is safe from cyber crime. Cyber insurance can help to protect your business from the losses that cyber crime can cause – in terms of expenses and regulatory fines – should a data breach occur. But cyber insurance should be a last resort – a contingency for if all else fails, and it’s vital that businesses work to mitigate the chances of data breaches and cyber crime.
Cyber insurance can help to cover the cost of some regulatory fines, but it is worth noting that they will only be covered to the extent that they’re insurable by law and this is still something that will be tested in the course of time as cases go through the courts.
Moving forward with GDPR
In our continuously changing and fast-paced digital world, the technology and the wider marketplace in which we operate mean that data protection – and cyber security – is ever more precarious. For all businesses, including those in the insurance arena, data protection and compliance with the General Data Protection Regulation should remain top of the agenda, even a year on from the implementation of GDPR.